CVSS2: AV:N/AC:L/Au:N/C:C/I:C/A:C (Attack Vector: Network; Attack Complexity: Low; Authentication: None; Confidentiality, Integrity and Availability Impact: Complete)
EPSS percentile: 92.9%
ICS-CERT has received a report from Siemens regarding two security vulnerabilities in the Scalance S Security Module firewall. These vulnerabilities were reported to Siemens by Adam Hahn and Manimaran Govindarasu for coordinated disclosure.
The first issue is a brute-force credential guessing vulnerability in the web configuration interface of the firewall. The second issue is a stack-based buffer overflow vulnerability in the Profinet DCP protocol stack.
Siemens has published a patch that resolves both of the identified vulnerabilities.
The following Scalance S Security Modules are affected:
Successful exploitation of the brute-force vulnerability may allow an attacker to perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account.
Successful exploitation of the stack-based buffer overflow against the Profinet DCP protocol may lead to a denial of service (DoS) condition or possible arbitrary code execution.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
The Scalance S product is a security module that includes a Stateful Inspection Firewall for industrial automation network applications. This security module is intended to protect automation devices and industrial networks against unauthorized access and to secure Ethernet-based industrial communication.
This Siemens product is intended to protect trusted industrial networks from outside facing or untrusted networks. All Scalance S Security Modules provide filtering of incoming and outgoing network connections with stateful packet inspection. This product is used predominately in Europe and Asia with a small US footprint. The primary sectors deploying Scalance S are Automotive, Defense Industrial Base, Energy, Critical Manufacturing, Transportation Systems, Chemical, and Water.
The web server in the Scalance S Security Module does not implement sufficient measures to prevent rapid multiple authentication attempts within a short timeframe, making it susceptible to brute-force attacks by attackers with access to the web server. If the administrative password is found, the attacker can manipulate the configuration and gain access to the trusted network.
CVE-2012-1799 has been assigned to this vulnerability. A CVSS V2 base score of 10.0 has also been assigned.
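The weakness above is the absence of any throttling of repeated login failures on the web interface. The following detector, added here as an example and not part of the advisory or of Siemens' software, applies a sliding-window count of failed logins per (source address, account) to constructed web-server authentication log lines; the log format, the one-minute window and the five-failure threshold are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real Scalance S device).
# Assumed format: "<ISO timestamp> <client-ip> <account> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2012-04-11T08:00:00 10.0.0.5 admin LOGIN_FAIL
2012-04-11T08:00:01 10.0.0.5 admin LOGIN_FAIL
2012-04-11T08:00:02 10.0.0.7 admin LOGIN_FAIL
2012-04-11T08:00:02 10.0.0.5 admin LOGIN_FAIL
2012-04-11T08:00:03 10.0.0.5 admin LOGIN_FAIL
2012-04-11T08:00:03 10.0.0.7 admin LOGIN_OK
2012-04-11T08:00:04 10.0.0.5 admin LOGIN_FAIL
2012-04-11T08:00:05 10.0.0.5 admin LOGIN_FAIL
2012-04-11T08:00:06 10.0.0.5 operator LOGIN_FAIL
2012-04-11T08:10:00 10.0.0.9 admin LOGIN_FAIL
2012-04-11T08:10:20 10.0.0.9 admin LOGIN_FAIL
2012-04-11T08:10:40 10.0.0.9 admin LOGIN_FAIL
2012-04-11T08:11:00 10.0.0.9 admin LOGIN_FAIL
2012-04-11T08:11:20 10.0.0.9 admin LOGIN_FAIL
"""

def parse_line(line):
    """Split one log line into (timestamp, client ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one (ip, account, timestamp) alert per source/account pair whose
    failed logins reach `threshold` inside any `window`-long sliding interval.
    Failures older than the window are evicted, so slow, spread-out failures
    (see 10.0.0.9 above) do not trigger an alert."""
    failures = defaultdict(deque)  # (ip, account) -> recent failure timestamps
    alerted, alerts = set(), []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, account, result = parse_line(line)
        if result != "LOGIN_FAIL":
            continue
        recent = failures[(ip, account)]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold and (ip, account) not in alerted:
            alerted.add((ip, account))
            alerts.append((ip, account, ts))
    return alerts

if __name__ == "__main__":
    for ip, account, ts in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} possible brute force from {ip} against '{account}'")
```

Only 10.0.0.5 against the admin account is reported: the legitimate user at 10.0.0.7 who mistyped once and the slow failures from 10.0.0.9 stay below the window threshold.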
The Scalance S DCP protocol stack crashes when a specially crafted DCP frame is received, which may render the firewall unresponsive and interrupt established VPN tunnels. Successful exploitation of this vulnerability may lead to a denial of service (DoS) condition or possible arbitrary code execution.
CVE-2012-1800 has been assigned to this vulnerability. Siemens has assigned a CVSS V2 base score of 6.1.
These vulnerabilities are remotely exploitable.
No known exploits specifically target these vulnerabilities.
An attacker with a moderate skill level would be able to exploit these vulnerabilities.
Siemens has published a patch that resolves both of the identified vulnerabilities and strongly recommends installing the updates by using the following links:
For further inquiries on vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT.
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
References:
http://www.siemens.com/industrialsecurity
http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html
support.automation.siemens.com/WW/view/en/59869684
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1799
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1800
www.siemens.com/cert
www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-268149.pdf